Businesses held to online ransom

By Darren PauliMay 24, 2018

Ransomware last year brought to a halt a chocolate factory, a metropolitan council, and an accountancy firm among scores of other Australian organisations by turning mission-critical data into an unreadable mess. But much of the impact from the events could have been reduced with a well-oiled business continuity plan.

Ransomware is a class of malicious software that encrypts data so it cannot be read or used by applications. Its perpetrators often promise to supply a decryption key to return the data to a normal state only after a ransom is paid.

The number of organisations impacted by ransomware is unknown since victims are often unwilling to report incidents to authorities, however, security companies claim in surveys that almost half of Australian businesses have been impacted by ransomware.

Some businesses are hit multiple times; Exchange knows of one accountancy firm that was hit three times by ransomware losing data each time, despite having attempted to recover and mitigate after each attack.

The financial impact to businesses can run into millions of dollars per incident with much cost ascribed to downtime and recovery efforts. Ransom demands by those behind the most effective ransomware forms is regularly tens of thousands of dollars.

Risky click and a mean trick

Ransomware is delivered through a wide variety of mechanisms. The most common forms of ransomware such as Cryptolocker may be sent by criminals in phishing emails, or woven into booby-trapped downloads or websites which then infect the computers they are exposed to.

Other ransomware forms such as the global cyber attacks known as Wannacry and NotPetya spread without the need for people to open email attachments or dodgy downloads. They did this by targeting vulnerable functions of computers and networks that were left turned on, loosely akin to thieves slipping through open doors.

Much of the defence against ransomware comes down to good security practice. This includes not running software from untrusted sources like unofficial websites and unknown email or chat conversations, and in ensuring systems are set to automatically apply updates (patches) when they are available.

Security vendors including ESET have created jargon-free guides for technical defences against ransomware which recommend patching, disabling a function called RDP, and filtering executables in emails.

However, business continuity plans are some of the more overlooked yet simplest controls that can help mitigate the large cost of business downtime from ransomware infections.

Lights on

Ransomware can and has stopped global shipping supplies. It has thrown hospital emergency rooms into chaos, brought down the biggest Hollywood movie studios, and forced countless businesses back to pen and paper.

“Business continuity planning might not save you from ransomware but it may save your reputation or your share price,” says Mark Cohen, a Melbourne-based business continuity manager at Telstra. “It will show you can operate in a crisis.”

Cohen says business continuity planning applies to all organisations, from the “fish and chips shop to a doctor’s surgery to enterprises” and helps in a large number of disasters, beyond ransomware.

To avoid disaster in ransomware incidents, all businesses must back up their critical data on a regular basis on different mediums following the 3-2-1 rule. This means the original copy should be backed up on two different mediums, say a cloud service and a disk drive, with the disk drive stored in a physically separated location. Cloud services and any drive connected to business computers via cables or WiFi can be affected in ransomware attacks.

“With back-ups in place, the mindset of how to operate when tech systems go dark and data is inaccessible is key”, Cohen says. Business owners and staff should think about where their critical data is, and whether it is readily and immediately available offline in the form of offline and isolated storage like USB sticks and external disk drives, or on paper documents.

“Ask yourself what are you going to do in a disaster to continue to provide service to your customers?” Cohen says.

Restoring from back-ups can take a long time. And, while some major ransomware forms are as-yet impossible to unravel and are sent by attackers who honour ransoms with decryption keys, other forms are poorly-built and can never be decrypted.

It is the expensive downtime between the restoration of back-ups or the wait for decryption keys that Cohen’s planning hopes to reduce.

“[Recovering from] ransomware is more than just file retrieval – it’s about what you are doing when that is happening and how you are addressing your customers,” Cohen says.

Simple business continuity

Stage 1: Understand and map your business. Start from the top. Once done, have management set a policy of their expectations including recovery time objectives.Stage 2: List all your dependencies – Your physical sites, staff, mission critical applications, suppliers / vendors, and any other dependency you think is critical to the operation of your business. Remember that while you might outsource the task, the risk and accountability stays with you.Stage 3: Distil your dependencies and address the mission critical ones by developing effective strategies for operating when a disaster occurs.Stage 4: Test, validate, and continue to improve your strategies on an ongoing basis.

“Plans must be tested too. The first test run is the most arduous with each iteration becoming easier with small tweaks added to the central plans,” Cohen says. “It is there that you discover your recovery time capability (RTC).

“Business continuity planning clauses are written into major contracts so having one, practicing it, and demonstrating its effectiveness will help you win and retain business – along with helping you, your manager, and your shareholders sleep well at night.”

Darren is an information security reporter with more than a decade's experience in the beat. He came to Telstra's cyber security unit after serving as an infosec correspondent for various tech-focused publications. You'll find Darren in his spare time pursuing all things fitness and breaking things on his motorbike and around the house.